Spring Security 3.1

This book demonstrates how to secure your Java applications from hackers using Spring Security 3.1. With plenty of handholding, it takes you step by step through every stage, accompanied by sample code and useful screenshots.

Robert Winch, Peter Mularien

Book Details

ISBN 13: 9781849518260
Paperback: 456 pages

About This Book

  • Learn to leverage the power of Spring Security to keep intruders at bay through simple examples that illustrate real-world problems
  • Each sample demonstrates key concepts, allowing you to build your knowledge of the architecture in a practical and incremental way
  • Filled with samples that clearly illustrate how to integrate with the technologies and frameworks of your choice

Who This Book Is For

This book is intended for Java web developers and assumes a basic understanding of creating Java web applications, XML, and the Spring Framework. You are not assumed to have any previous experience with Spring Security.

Table of Contents

Chapter 1: Anatomy of an Unsafe Application
Security audit
About the sample application
The JBCP calendar application architecture
Application technology
Reviewing the audit results
Authentication
Authorization
Database credential security
Sensitive information
Transport-level protection
Using Spring Security 3.1 to address security concerns
Why Spring Security
Summary
Chapter 2: Getting Started with Spring Security
Hello Spring Security
A little bit of polish
Summary
Chapter 3: Custom Authentication
JBCP Calendar architecture
Logging in new users using SecurityContextHolder

Creating a custom UserDetailsService object
Creating a custom AuthenticationProvider object
Which authentication method to use
Summary
Chapter 4: JDBC-based Authentication
Using Spring Security's default JDBC authentication
UserDetailsManager
Group-based access control
Support for a custom schema
Configuring secure passwords
Summary
Chapter 5: LDAP Directory Services
Understanding LDAP
LDAP
Common LDAP attribute names
Updating our dependencies
Configuring embedded LDAP integration
Configuring an LDAP server reference
Troubleshooting embedded LDAP
Understanding how Spring LDAP authentication works
Authenticating user credentials
Binding anonymously to LDAP
Searching for the user
Binding as a user to LDAP
Determining user role membership
Mapping additional attributes of UserDetails
Advanced LDAP configuration
Sample JBCP LDAP users
Configuring basic password comparison
LDAP password encoding and storage
Configuring UserDetailsContextMapper
Viewing additional user details
Using an alternate password attribute
Using LDAP as UserDetailsService
Configuring LdapUserDetailsService
Integrating with an external LDAP server
Explicit LDAP bean configuration
Configuring LdapAuthenticationProvider
Integrating with Microsoft Active Directory via LDAP
Summary
Chapter 6: Remember-me Services
What is remember-me
Dependencies
The token-based remember-me feature
Is remember-me secure
Persistent remember-me
Remember-me architecture
Restricting the remember-me feature to an IP address
Summary
Chapter 7: Client Certificate Authentication
How client certificate authentication works
Setting up client certificate authentication infrastructure
Configuring client certificate authentication in Spring Security
Configuring client certificate authentication using Spring Beans
Considerations when implementing Client Certificate authentication
Summary
Chapter 8: Opening up to OpenID
The promising world of OpenID
Signing up for an OpenID
Enabling OpenID authentication with Spring Security
Additional required dependencies
The OpenID user registration problem
Implementing user registration with OpenID
Attribute Exchange
Usability enhancements
Automatic redirection to the OpenID Provider
Is OpenID Secure
Summary
Chapter 9: Single Sign-on with Central Authentication Service
Introducing Central Authentication Service
Configuring basic CAS integration
Single logout
Proxy ticket authentication for stateless services
Customizing the CAS Server
Getting UserDetails from a CAS assertion
Additional CAS capabilities
Summary
Chapter 10: Fine-grained Access Control
Maven dependencies
Spring Expression Language (SpEL) integration
Page-level authorization
Method-level security
Summary
Chapter 11: Access Control Lists
Using access control lists for business object security
Basic configuration of Spring Security ACL support
Advanced ACL topics
Custom ACL permission declaration
Mutable ACLs and authorization
Considerations for a typical ACL deployment
Should I use Spring Security ACL
Summary
Chapter 12: Custom Authorization
How requests are authorized
Configuring to use a UnanimousBased access decision manager
Customizing request authorization
Creating a custom PermissionEvaluator
Summary
Chapter 13: Session Management
Configuring session fixation protection
Restricting the number of concurrent sessions per user
How Spring Security uses the HttpSession
Summary
Chapter 14: Integrating with Other Frameworks
Integrating with Java Server Faces (JSF)
Google Web Toolkit (GWT) integration
Summary
Chapter 15: Migration to Spring Security 3.1
Migrating from Spring Security 2
Enhancements in Spring Security 3
Changes to configuration in Spring Security 3
Changes to CustomAfterInvocationProvider
Changes to packages and classes
Updates in Spring Security 3.1
Summary

What You Will Learn

  • Understand common security vulnerabilities and how to resolve them
  • Implement authentication and authorization
  • Learn to utilize existing corporate infrastructure such as LDAP, Active Directory, Kerberos, and CAS
  • Integrate with popular frameworks such as Spring, JSF, GWT, Maven, and Spring Roo
  • Architect solutions that leverage the full power of Spring Security while remaining loosely coupled
  • Implement common scenarios such as supporting existing user stores, user sign up, and supporting AJAX requests

In Detail

Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressure concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework.

"Spring Security 3.1" is an incremental guide that will teach you how to protect your application from malicious users. You will learn how to cleanly integrate Spring Security into your application using the latest technologies and frameworks with the help of detailed examples.

This book is centred around a security audit of an insecure application, followed by modifications to the sample that resolve the issues found in the audit.

The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It concludes with tips on integrating with some of the more popular web frameworks. Also included is an example that shows how Spring Security defends against session fixation, moves into concurrency control, and shows how you can utilize session management for administrative functions.

"Spring Security 3.1" will ensure that integrating with Spring Security is seamless from start to finish.
